Black Shades

One example of the Black Shades variant.

Image Source: Bleeping Computer

One example of the Black Shades variant.

Image Source: Bleeping Computer

Black Shades targets Windows OS and, although the current distribution method has not yet been verified, it is believed to be distributed as fake videos, cracks, and patches. Once it is executed on a system, it deletes Shadow Volume Copies to prevent file restoration. Black Shades then determines the victim’s IP address, creates a unique victim ID, and checks for Internet access. If it is unable to connect to the website http://icanhazip to verify the victim’s IP address, the program will crash. It encrypts targeted files using AES-256 and drops a file containing the victim ID, named YourID.txt, in each folder. Black Shades appends all encrypted files with the extension .silent and keeps a running tally of files on its C2 server. After the encryption process is completed, Black Shades attempts to delete itself from the infected system. This variant is unique in that its ransom demand is very low at $30 USD and it accepts payment via both PayPal and Bitcoin.

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.